065d9f7442212d5a3249ab2a92971b81157f9e19c0577377511a6715d95415f2

Analysis

max time kernel
134s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
01/11/2023, 13:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.25095d2a5cae6b5ee97c3247a11da870.exe
Size

60KB
MD5

25095d2a5cae6b5ee97c3247a11da870
SHA1

52e9f4f2c6cde825e5024fd5b1c3c05e427b212c
SHA256

065d9f7442212d5a3249ab2a92971b81157f9e19c0577377511a6715d95415f2
SHA512

0913036e8479b9f402c3fac364f468309424c4ebff5b3847e3545a5e529828126a51554219bd47947b27d13532f01170a47226c9423b0c73fdd731e41e19a532
SSDEEP

768:di+lWpm1Up89+zxEbjakT725yBFkQF3CXnf0qOO5oCvxxm7ZytYRY0A1K/:SoUK9P3EA6cyXf0k5oby31

Score

3^/10

Malware Config

Signatures

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4620	1388	WerFault.exe	86
1372	1388	WerFault.exe	86

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	NEAS.25095d2a5cae6b5ee97c3247a11da870.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 4620	1388	NEAS.25095d2a5cae6b5ee97c3247a11da870.exe	94
PID 1388 wrote to memory of 4620	1388	NEAS.25095d2a5cae6b5ee97c3247a11da870.exe	94
PID 1388 wrote to memory of 4620	1388	NEAS.25095d2a5cae6b5ee97c3247a11da870.exe	94

C:\Users\Admin\AppData\Local\Temp\NEAS.25095d2a5cae6b5ee97c3247a11da870.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.25095d2a5cae6b5ee97c3247a11da870.exe"
1⤵
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 372
  2⤵
  - Program crash
  PID:4620
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 372
  2⤵
  - Program crash
  PID:1372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1388 -ip 1388
1⤵
PID:3444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1388-0-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1388-1-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1388-2-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download